Posted on 11-08-2016 03:17 PM
Hey all,
My school just got set up for Casper last week. At the start everything seemed to work alright, but now the Configuration Profile that is supposed to bind Macs to Active Directory fails.
I can manually bind the Mac to AD.
If I bind the Mac manually and then unbind it, the Configuration Profile runs successfully.
Any help would be great.
Thanks,
Scott.
Posted on 11-08-2016 04:33 PM
Have you tried setting up a binding under Settings > Computer Management > Directory Bindings, and then using that in a policy rather than doing it via a config profile?
Posted on 11-08-2016 04:50 PM
I may have actually found the problem, but it has caused another problem.
It seems my Domain Controller(s) act like an RODC when they are in fact writeable. If I add the computer name manually it binds the Mac; I'll have to have a further look into it.
If anyone else has some suggestions, it would be welcome.
Thanks,
Scott.
Posted on 11-09-2016 06:13 AM
Make sure the AD account you are using to bind has the proper privileges in the OU you are binding.
For instance, the default Computer OU is "CN=Computers,DC=yourdomain,DC=com"
If you are trying to bind into "OU=Macs,DC=yourdomain,DC=com" but the AD account cannot write into that OU, the bind will fail.
Another tip is to use a service account. Give it write privileges for the specific OU, and a complex passcode that does not change. Use that account in the Jamf Pro Directory Binding.
Eric
Posted on 11-09-2016 07:36 AM
I second using a policy with the directory bindings or, if you prefer, a script.
I've used a Configuration Profile and had too many problems with it. Systems would randomly not get the profile, or lose it. I also have more to work with in terms of logs when not using configuration profiles.
I don't think that's part of the problem you're experiencing but I would recommend going this route to be in a better position when things don't work.
Posted on 01-19-2017 02:37 PM
@ericbenfer Thanks for posting the OU details, I believe that's the issue we are experiencing. Do I understand you correctly that if our setup is this:
If the above is true, then we need to add OU=iMac Workstations and OU=Laptop Workstations to the AD Service Account in AD, correct?
Posted on 01-23-2017 08:11 AM
I can't find the specific document, but if the service account password that you are using to bind contains an exclamation point ("!") anywhere, it will not let you bind.
(Hopefully it makes sense what I'm trying to explain.)
Once I find that document/note from Jamf I'll post it.
Posted on 01-23-2017 08:17 AM
(fyi: this is for JSS version 9.96)
This is what I was talking about:
[D-008806] The dsconfigad binary fails to bind a computer to a directory service if the service account password contains an exclamation point (!).
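As an added example (not posted by anyone in this thread and not Jamf's own code), here is the shape of a policy script that binds with dsconfigad the way the replies above recommend: it refuses a service account password containing "!" up front (the D-008806 defect), binds into the specific OU the service account has write rights on, and confirms the result with `dsconfigad -show`. The domain, OU and `svc_macbind` account are placeholders, and the password is assumed to arrive as Jamf policy parameter 4.

```shell
#!/bin/bash
# Added example: bind a Mac to AD via a Jamf policy script, checking the two
# failure causes named in the thread (OU write rights, "!" in the password).
# Placeholders: replace the domain, OU and service account with your own values.

AD_DOMAIN="yourdomain.com"
AD_OU="OU=Macs,DC=yourdomain,DC=com"   # OU the service account can write into
AD_USER="svc_macbind"                    # hypothetical dedicated bind account

# Return 1 if the password would trip defect D-008806 (contains "!") or is empty.
check_bind_password() {
  case "$1" in
    *'!'*) echo "password contains '!' - dsconfigad bind fails (D-008806)" >&2; return 1 ;;
    "")    echo "empty bind password" >&2; return 1 ;;
  esac
  return 0
}

# Return 0 if this Mac is currently bound to the given domain per dsconfigad -show.
is_bound_to() {
  dsconfigad -show 2>/dev/null | grep -q "Active Directory Domain *= *$1"
}

# Bind this Mac and verify; the computer name is sanitised to AD's 15-char limit.
bind_mac() {
  local pass="$1" name
  check_bind_password "$pass" || return 1
  name=$(scutil --get ComputerName | tr -cd 'A-Za-z0-9-' | cut -c1-15)
  dsconfigad -add "$AD_DOMAIN" -computer "$name" \
    -username "$AD_USER" -password "$pass" -ou "$AD_OU" -force || return 1
  is_bound_to "$AD_DOMAIN"
}

# Only attempt the bind on a Mac that has dsconfigad and was given a password.
if command -v dsconfigad >/dev/null 2>&1 && [ -n "${4:-}" ]; then
  if bind_mac "$4"; then echo "bound $AD_DOMAIN into $AD_OU"; else echo "bind failed" >&2; fi
fi
```

When the bind fails even with a clean password, compare the account's rights on the OU in `AD_OU` against Eric's note above before suspecting the Mac.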